(1) Introduction to Firewall
A firewall isolates an internal network from external networks or the Internet in order to protect the internal network and its hosts. A simple firewall can be implemented with the access control list of a router or Layer 3 switch, or by a host or even a sub-network; for more complex deployments, specialized hardware firewalls or software firewalls can be purchased.
The functions of the firewall include:
1. Filtering out insecure services and unauthorized users
2. Controlling access to specific sites
3. Providing a convenient point for monitoring Internet security and raising alarms
Firewalls are not omnipotent; there are many areas where a firewall is powerless:
1. A firewall cannot prevent attacks that bypass it. For example, if the firewall does not restrict connections from the internal network to the outside, an internal user may form a direct connection to the Internet, bypassing the firewall and creating a potential backdoor: a malicious external user connects directly to that internal user's machine and uses it as a stepping stone to launch unrestricted attacks around the firewall.
2. A firewall is not an antivirus product such as InterScan, and it cannot intercept virus-carrying data transmitted between networks.
3. A firewall cannot prevent data-driven attacks.
Therefore, we cannot rely too heavily on the firewall. Network security is a whole, and no single configuration solves everything; network security follows the "barrel principle" (the shortest stave sets the water level).
Generally, firewalls have the following features:
1. Extensive service support: by combining dynamic and application-layer filtering with authentication, WWW browsers, HTTP servers, FTP and similar services can be supported;
2. Encryption and support for private data: ensures that virtual private networks and business activities carried out over the Internet are not compromised;
3. Client authentication: only specified users are allowed to access the internal network or selected services, adding a layer of secure communication between the enterprise's public network and its branches, business partners, and mobile users;
4. Anti-spoofing: spoofing is a common means of obtaining network access from the outside by making packets appear to come from inside the network; the firewall can detect such packets and discard them;
5. C/S mode and cross-platform support: a management module running on one platform can control a monitoring module running on another platform.
Let's take a look at the working principle, advantages, and disadvantages of traditional firewalls:
1. Working principle of the (traditional) packet filtering firewall
Packet filtering is implemented at the IP layer, so it can be done by a router alone. Packet filtering decides whether a packet is allowed through based on header information such as the packet's source IP address, destination IP address, source port, destination port, and direction of transfer, and it can filter on user-defined fields such as IP addresses. The operating principle is that the system checks packets at the network layer, independently of the application layer. Packet filters are widely used because the CPU time spent on filtering is negligible. In addition, this protection is transparent to users: legitimate users cannot feel its existence when they access the network, which makes it easy to use. The system therefore keeps good transmission performance and is easy to extend. However, such firewalls are not very secure, because the system has no view of application-layer information. That is to say, it does not understand the content of the communication and cannot filter at the user level; it cannot distinguish different users or prevent IP address theft. If an attacker sets the IP address of his host to a valid internal address, he can easily get through the packet filter. Because of this mechanism, the packet filtering firewall has the following defects:
Communication information: the packet filtering firewall only sees part of the packet's header information;
Communication and application state information: the packet filtering firewall is stateless, so it cannot retain state information from communications and applications;
Information processing: the packet filtering firewall has a limited ability to process information.
For example, the Unicode attack on Microsoft's IIS vulnerability arrives over port 80, which the firewall permits, and the packet filtering firewall cannot inspect packet content; to an attacker, the firewall is therefore equivalent to a system that provides web services without the corresponding patch. Even with the firewall in place, attackers can easily obtain super-user privileges.
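The following is an added example (not part of the original article) that models the two points just made: a stateless packet filter decides on header fields alone, so to let web replies back in it must admit any inbound TCP packet from source port 80, whereas a filter that records outbound flows only admits genuine replies. The network addresses, the rule set and the packet samples are all constructed for the illustration; the anti-spoofing rule drops packets arriving from outside that claim an internal source address.

```python
from collections import namedtuple
from ipaddress import IPv4Network, ip_address, ip_network

INTERNAL = ip_network("192.168.1.0/24")   # constructed: the protected network

# direction is "in" (arrives on the external interface) or "out" (leaves from inside)
Packet = namedtuple("Packet", "direction src dst proto sport dport")

def _match(field, value):
    """A rule field is '*' (anything), an IPv4Network, or a literal value."""
    if field == "*":
        return True
    if isinstance(field, IPv4Network):
        return ip_address(value) in field
    return field == value

# Rule tuple: (direction, src, dst, proto, sport, dport, action); first match wins.
STATELESS_RULES = [
    # anti-spoofing: nothing arriving from outside may claim an internal source address
    ("in",  INTERNAL, "*",      "*",   "*", "*", "drop"),
    # internal hosts may open web connections outward
    ("out", INTERNAL, "*",      "tcp", "*", 80,  "accept"),
    # a stateless filter can only recognise web replies by header fields, so it
    # has to admit ANY tcp packet from source port 80, solicited or not
    ("in",  "*",      INTERNAL, "tcp", 80,  "*", "accept"),
]

def stateless_filter(pkt):
    """Header-only decision with no memory of earlier packets."""
    for direction, src, dst, proto, sport, dport, action in STATELESS_RULES:
        if (direction == pkt.direction and _match(src, pkt.src) and _match(dst, pkt.dst)
                and _match(proto, pkt.proto) and _match(sport, pkt.sport)
                and _match(dport, pkt.dport)):
            return action
    return "drop"   # default deny

class StatefulFilter:
    """Same outbound rules, but an inbound packet is admitted only as the
    reply to an outbound flow this firewall has already seen and recorded."""
    def __init__(self):
        self.flows = set()   # (src, sport, dst, dport, proto) of accepted outbound packets
    def check(self, pkt):
        if pkt.direction == "in":
            reply_of = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
            return "accept" if reply_of in self.flows else "drop"
        verdict = stateless_filter(pkt)
        if verdict == "accept":
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
        return verdict
```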
The shortcomings of the packet filtering firewall can be addressed at the application layer. Next, let's take a look at the application layer gateway.
2. Application Gateway
1. Application Gateway (Proxy)
Provides authorization checks and proxy services at the network application layer. When an external host attempts to access the protected network, it must first pass identity authentication on the firewall. After authentication, the firewall runs a program written specially for that network service to connect the external host to the internal host. In this process, the firewall can restrict which hosts a user may access, at what times, and in what manner. Likewise, users inside the protected network must log on to the firewall before accessing the external network.
The advantage of the application gateway proxy is that it not only hides internal IP addresses but can also authorize individual users. Even if an attacker steals a valid IP address, he cannot pass the strict authentication, so application gateways are more secure than packet filtering. However, this authentication makes the application gateway non-transparent: users must be authenticated each time they connect, which is a considerable inconvenience. This proxy technology also requires a dedicated program for each application.
2. Circuit-level Proxy Server
That is, a proxy server that works with multiple protocols but cannot interpret the application protocol; the information it needs must be obtained in other ways, so circuit-level proxy servers generally require modified user programs.
A SOCKS server is a circuit-level proxy server. SOCKS is an international standard for the network application layer. When a client on the protected network needs to communicate with the external network, the server set up on the firewall checks the client's user ID, source IP address, and destination IP address; after confirmation, it establishes a connection to the external server. For the user, the exchange of information between the protected network and the external network is transparent and the firewall is invisible, because network users do not need to log on to the firewall. However, the application software on the client must support the SOCKS-ified API. The IP address that users on the protected network use to reach the public network is also that of the firewall.
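As an added example (not from the original article), here is the check a SOCKS server on the firewall performs before it relays a circuit: it parses the client's SOCKS4 CONNECT request (version, command, destination port, destination address, user ID), verifies the user ID, the source address and the destination address against policy, and answers with the standard granted (90) or rejected (91) reply. The user list, the network ranges and the sample request are constructed for the illustration.

```python
import struct
from ipaddress import IPv4Address, ip_network

INTERNAL = ip_network("192.168.1.0/24")            # constructed: the protected network
ALLOWED_USERS = {"alice", "bob"}                    # constructed: user IDs permitted to go out
ALLOWED_DESTS = [ip_network("203.0.113.0/24")]      # constructed: external servers they may reach

def parse_socks4_connect(data):
    """SOCKS4 CONNECT request: VN(1)=4, CD(1)=1, DSTPORT(2), DSTIP(4), USERID, NUL."""
    if len(data) < 9 or data[0] != 4 or data[1] != 1:
        raise ValueError("not a SOCKS4 CONNECT request")
    port, ip = struct.unpack("!HI", data[2:8])
    nul = data.find(b"\x00", 8)
    if nul < 0:
        raise ValueError("USERID not NUL-terminated")
    return data[8:nul].decode("ascii"), str(IPv4Address(ip)), port

def socks4_reply(granted, ip, port):
    """SOCKS4 reply: VN(1)=0, CD(1)=90 granted / 91 rejected, DSTPORT(2), DSTIP(4)."""
    return struct.pack("!BBHI", 0, 90 if granted else 91, port, int(IPv4Address(ip)))

def decide(client_ip, request):
    """The firewall's check before it relays anything: who (user ID), from where
    (source IP), to where (destination IP). Only then is the outside connection made."""
    try:
        user, dst_ip, dst_port = parse_socks4_connect(request)
    except ValueError:
        return socks4_reply(False, "0.0.0.0", 0)
    ok = (user in ALLOWED_USERS
          and IPv4Address(client_ip) in INTERNAL
          and any(IPv4Address(dst_ip) in net for net in ALLOWED_DESTS))
    return socks4_reply(ok, dst_ip, dst_port)

def build_request(user, dst_ip, dst_port):
    """What a SOCKS-ified client sends; used here only to construct sample input."""
    return (struct.pack("!BBHI", 4, 1, dst_port, int(IPv4Address(dst_ip)))
            + user.encode("ascii") + b"\x00")
```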
3. Managed servers
The managed server technique places insecure services such as FTP and Telnet on the firewall itself, so that the firewall acts as the server and responds to external requests. Compared with an application-layer proxy, the managed server approach does not require writing a program for each service. In addition, when users in the protected network want to access the external network, they must first log on to the firewall and then send their request outward. In this way, only the firewall can be seen from the external network, which hides internal addresses and improves security.
4. IP Tunnels
If two subsidiaries of a large company are far apart, they can communicate over the Internet. In this case, IP Tunnels can be used to prevent hackers from intercepting information on the Internet, thus forming a virtual enterprise network on the Internet.
5. Network Address Translator (NAT, Network Address Translation)
When a protected network is connected to the Internet, a valid IP address must be used to access the Internet. However, legal Internet IP addresses are limited, and protected networks often have their own IP address plans (informal IP addresses). The network address translator attaches a set of valid IP addresses to the firewall. When a user inside the firewall wants to access the Internet, the firewall dynamically selects an unallocated address from the set and assigns it to the user, who then uses this legal address for communication. In addition, some internal servers, such as web servers, can be assigned a fixed legal address by the network address translator, so that users on the external network can reach the internal server through the firewall. This technology not only relieves the conflict between a small number of IP addresses and a large number of hosts, but also hides the IP addresses of internal hosts and improves security.
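An added example (not from the original article) of the address translator just described: a pool of legal addresses is lent dynamically to internal hosts as they go out, an internal web server keeps a fixed legal address, and a packet from the Internet is delivered only if its destination is a currently mapped legal address, so internal addresses never appear outside. All addresses are constructed for the illustration.

```python
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("192.168.1.0/24")           # constructed: the informal internal address plan
PUBLIC_POOL = ["203.0.113.10", "203.0.113.11"]    # constructed: legal addresses attached to the firewall
STATIC = {"192.168.1.80": "203.0.113.80"}         # constructed: fixed legal address of the internal web server

class NAT:
    def __init__(self, pool, static):
        self.free = list(pool)                    # unallocated legal addresses
        self.out_map = dict(static)               # internal address -> legal address
        self.in_map = {v: k for k, v in static.items()}
        self.fixed = set(static.values())         # static mappings are never returned to the pool

    def translate_out(self, src, dst):
        """Packet leaving the protected network: lend the host a legal address if it has none."""
        if ip_address(src) not in INTERNAL:
            raise ValueError("only hosts of the protected network are translated")
        if src not in self.out_map:
            if not self.free:
                raise RuntimeError("legal address pool exhausted")
            legal = self.free.pop(0)
            self.out_map[src] = legal
            self.in_map[legal] = src
        return self.out_map[src], dst

    def translate_in(self, src, dst):
        """Packet arriving from the Internet: deliverable only if its destination is a
        currently mapped legal address; internal addresses are never visible outside."""
        if dst not in self.in_map:
            return None                           # unmapped: nothing inside to deliver to, drop
        return src, self.in_map[dst]

    def release(self, internal):
        """A dynamic lease ends: return the legal address to the pool (static mappings stay)."""
        legal = self.out_map.get(internal)
        if legal is None or legal in self.fixed:
            return
        del self.out_map[internal], self.in_map[legal]
        self.free.append(legal)
```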
6. Split Domain Name Server
This technology uses the firewall to separate the domain name server of the protected network from the domain name server of the external network, so that the external domain name server can only see the IP address of the firewall and learns nothing about the internal layout of the protected network; this ensures that the protected network's IP addresses are not disclosed to the external network.
7. Mail Forwarding
When the firewall uses the technologies above so that the external network knows only the firewall's IP address and domain name, mail from the external network can only be delivered to the firewall. The firewall then checks the mail: only if the source host that sent it is permitted does the firewall rewrite the mail's destination address and forward it to the internal mail server.
The application gateway checks all application-layer information in the packets and feeds the checked content into the decision-making process, which improves security. However, it is implemented by breaking the client/server model: each client/server communication requires two connections, one from the client to the firewall and the other from the firewall to the server. In addition, each proxy requires a separate application process or backend service program, so a new application cannot be used until a proxy is written for it, and scalability is poor. Because of this mechanism, the application gateway firewall has the following defects:
Connection restrictions: each service requires its own proxy, so the number of available services and scalability are limited;
Technical restrictions: application gateways cannot provide proxies for UDP, RPC, and other services in common protocol families;
Performance: the application gateway firewall sacrifices some system performance.
Architecture and combination of firewalls
1. Screening Router
This is the most basic component of a firewall. It can be implemented by a router specially produced by a manufacturer, or by a host. The screening router is the only channel between the internal and external networks, and all packets must pass inspection here. IP-layer packet filtering software can be installed on the router to implement packet filtering. Many routers have packet filtering configuration options, but these are generally fairly simple.
The danger zone of a firewall consisting only of a screening router includes the router itself and the hosts the router allows. Its disadvantage is that once it is attacked, the attack is difficult to discover, and it cannot distinguish different users.
2. Dual-homed Gateway
Any system with multiple interface cards is called a multi-homed host. The dual-homed gateway uses a host with two NICs as the firewall; the two NICs are connected to the protected network and the external network respectively. The host runs firewall software that can forward application traffic and provide services.
The system software of the bastion host is used to maintain system logs, copy hardware logs, or keep remote logs, which is useful for later examination. However, this does not help the network administrator determine which hosts on the intranet may already have been penetrated by hackers.
A critical weakness of the dual-homed gateway is that once an intruder breaks into the bastion host and it is left with only the routing function, any user on the network can access the intranet.
3. Screened Host Gateway
The screened host gateway is easy to implement and secure, so it is widely used. For example, an organization connects to the external network through a filtering router and installs a bastion host on the internal network; a filtering rule is usually set on the router so that the bastion host becomes the only host that can be reached directly from the external network, which ensures that the internal network is not authorized to external